When the FFIEC issued the 2011 Supplement to the Authentication, the goal was simple: to mitigate evolving forms of account takeover fraud.
The idea was that all banking channels offered to remote customers needed to be protected by at least two separate factors of authentication. The three types of recommended verification methods included something the customer knows (PII, password, security questions), something the customer is (fingerprint, DNA, retinal pattern), and something the customer owns (ID card, telephone, security token).
Because criminals continue to get better at circumventing knowledge-based authentication (KBA) solutions, the FFIEC recommendations steered banking institutions away from employing two forms of authentication that fell under a single criterion. For example, combining a bunch of challenge questions with password verification did not qualify as a two-factor customer identification strategy. In the eyes of the FFIEC, that would still be one form of customer authentication.
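The distinct-category rule above is easy to get wrong in a control review, because a channel can list several "methods" and still rely on a single factor. The following is an added example, not code from the original post or from PhishLabs: a small Python policy check that maps each authentication method to one of the three factor categories and flags any channel whose methods do not span at least two of them. The method catalogue and the sample channel configuration are constructed for illustration.

```python
# Added example: check whether each remote banking channel's authentication
# methods span at least two distinct FFIEC factor categories.
# The method catalogue and sample channels below are constructed, not real data.
from enum import Enum


class Factor(Enum):
    KNOWS = "something the customer knows"
    IS = "something the customer is"
    HAS = "something the customer has"


# Constructed catalogue mapping a method name to its factor category.
METHOD_FACTOR = {
    "password": Factor.KNOWS,
    "security_questions": Factor.KNOWS,
    "pin": Factor.KNOWS,
    "fingerprint": Factor.IS,
    "retinal_scan": Factor.IS,
    "hardware_token": Factor.HAS,
    "registered_phone": Factor.HAS,
    "id_card": Factor.HAS,
}


def factor_categories(methods):
    """Return the set of distinct factor categories covered by `methods`.

    An unknown method raises instead of being ignored, so a misconfigured
    channel cannot pass the check by accident.
    """
    cats = set()
    for method in methods:
        try:
            cats.add(METHOD_FACTOR[method])
        except KeyError:
            raise ValueError(f"unknown authentication method: {method!r}")
    return cats


def is_multifactor(methods):
    """True only when at least two *different* categories are present.

    Password plus challenge questions is two methods but one category
    (KNOWS), so it fails, exactly as the FFIEC guidance intends.
    """
    return len(factor_categories(methods)) >= 2


def audit_channels(channels):
    """Given {channel_name: [methods]}, return
    {channel_name: (passes, sorted category names)} for a review report."""
    report = {}
    for name, methods in channels.items():
        cats = factor_categories(methods)
        report[name] = (len(cats) >= 2, sorted(c.name for c in cats))
    return report


if __name__ == "__main__":
    # Constructed sample of a bank's remote channels and their configured methods.
    sample = {
        "web_banking": ["password", "security_questions"],  # KBA only: fails
        "mobile_app": ["pin", "fingerprint"],               # KNOWS + IS: passes
        "wire_approval": ["password", "hardware_token"],    # KNOWS + HAS: passes
    }
    for channel, (ok, cats) in audit_channels(sample).items():
        print(f"{channel:14} {'PASS' if ok else 'FAIL'}  {', '.join(cats)}")
```

Running the block prints one line per channel; only `web_banking` fails, because both of its methods are knowledge factors. In a real review the catalogue would be the institution's own control inventory, and the point of raising on unknown methods is that a method nobody has classified should block the review rather than be counted as a second factor.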
Over the last few years, some financial institutions have been slow to deploy two-factor authentication solutions that meet the FFIEC-defined guidelines. But many have invested in their defenses to help detect and prevent account takeovers and other types of fraud.
So, how has it worked out? According to findings in a recent survey conducted by the Information Security Media Group and sponsored by PhishLabs, there’s still plenty more to be done.
Of the financial institutions surveyed, 71 percent said account takeover incidents have stayed the same or even increased since 2011. Respondents also said that fraud losses related to account takeovers have remained the same or increased over the same period.
While the FFIEC authentication guidelines may be helping banks thwart certain levels of fraud, over time crooks are going to learn how to get around defenses. It’s the nature of the beast.
In the recent article, “Account Takeovers: Did FFIEC Guidance Make a Difference?” John LaCour, CEO of PhishLabs, said that to stop new forms of fraud attacks, defenses need to evolve, too.
“This is partly explained by just the prevalence of cybercrime. Attacks like phishing, banking Trojans and telephone phishing remain pervasive … Part of the challenge here is keeping up with these attacks – not just the volume of them, but how they’ve evolved to become more resilient and work around the countermeasures we, as the good guys, are putting in place against them.”
Instead of implementing authentication tools that look for abnormal or suspicious behavior, banks and businesses need to implement technologies that proactively detect fraud early. Preventing fraud from happening in the first place is critical to staying ahead of the bad guys, added LaCour.
“Banks should be investing more in detecting attacks that are attempting to compromise accounts – being further up in the attacker workflow, if you will, to try to stop the attacks. If you’re detecting anomalies, then the bad guy is already in the door. … Detecting phishing attacks, detecting malware attacks and implementing technologies and services to help mitigate those attacks by blocking them or taking them offline [are] key components to reducing the amount of fraud that’s experienced.”
Most financial institutions continue to invest in stronger defenses to help reduce account takeovers and other forms of bank fraud. But with criminals now overcoming existing authentication strategies, we need to ask ourselves if we’re doing enough to stop bank fraud. If we’re putting money into reactive solutions that are letting criminals in the door, the answer is no. Which would leave us with one conclusion: We need to do more.